United States: SEC Adopts Final Rules On Cybersecurity Risk Management, Strategy, Governance And Incident Disclosure By Public Companies

On July 26, 2023, the U.S. Securities and Exchange Commission (SEC) adopted final rules requiring U.S. public companies to disclose material cybersecurity incidents on Form 8-K and, on an annual basis, disclose material information regarding their cybersecurity risk management, strategy and governance on Form 10-K. The final rules also require foreign private issuers to make comparable disclosures on Forms 6-K and 20-F.

The SEC observed that disclosure practices regarding cybersecurity incidents, risk management and governance have been inconsistent, despite interpretive guidance issued by the SEC in 2011 and 2018. The SEC indicated that the final rules are intended to result in enhanced, consistent, comparable and decision-useful disclosures that would allow investors to evaluate public companies' exposure to material cybersecurity risks and incidents and their ability to manage and mitigate those risks.

In a departure from the proposed rules, the final rules do not require quarterly disclosures under Form 10-Q, but rather periodic amendments to Form 8-K?and they do not require registrants to identify a board cybersecurity expert. Additionally, the rules explicitly exempt (i) asset-backed security issuers and (ii) Canadian issuers who file Form 40-F and other SEC reports under the U.S.-Canada multijurisdictional disclosure system.

In adopting the new final rules, SEC Chair Gary Gensler commented:

Currently, many public companies provide cybersecurity disclosure to investors. I think companies and investors alike, however, would benefit if this disclosure were made in a more consistent, comparable, and decision-useful way. Through helping to ensure that companies disclose material cybersecurity information, today's rules will benefit investors, companies, and the markets connecting them.

The new rules were adopted on a 3-2 vote by the Commission. In her dissenting statement, Commissioner Hester Pierce commented that, although she believed new cybersecurity rules were not required, she:

[C]ould have supported a cyber rule designed to guide public companies in their obligation to disclose material cyber risks and material cyber incidents in a way that would be net-beneficial to investors. Today's rule, by contrast, reads like a test run for future overly prescriptive, overly costly disclosure rules covering a never-ending list of hot topics.

Form 8-K Reporting Requirements

The final rules add a new Item 1.05 to Form 8-K, requiring a registrant to disclose any cybersecurity incident¹ it determines to be material and to describe the material aspects of the incident's nature, scope and timing, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations.

Similar to other Form 8-K items, Item 1.05 will require the disclosure of material cybersecurity incidents within four business days. However, the trigger date for the disclosure is the date of the registrant's determination that a cybersecurity incident is material, rather than the date of discovery of the incident (although the materiality determination must be made without unreasonable delay after discovery of the incident). A registrant's materiality determination may depend on, alongside quantitative factors, qualitative factors such as the possibility of litigation or regulatory investigations or actions, whether initiated by state, federal or non-U.S. regulatory or governmental authorities. The disclosure may be delayed for up to 30 days if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC of such determination in writing. This delay may be extended for a final additional period of up to 60 days if the Attorney General determines that a disclosure continues to present a substantial risk to national security and notifies the SEC in writing. Notably, an untimely filing of an Item 1.05 Form 8-K does not result in the loss of Form S-3 eligibility and is covered by a limited safe harbor for Section 10(b) and Rule 10b-5 liability.

If the information regarding such material aspects or material impact (or reasonably likely material impact) was not determined or was unavailable at the time of the initial Item 1.05 Form 8-K filing, registrants will be required to amend it to disclose such information within four business days after the registrant, without unreasonable delay, determines such information, or within four business days after such information becomes available. Registrants are reminded, however, that they have a duty to correct prior disclosures they later determine are (i) untrue or (ii) missing a material fact necessary to make the disclosure not misleading at the time the disclosure was made.

Additionally, the final rules include an instruction that a registrant is not required to disclose specific or technical information about its planned response to the incident or its cybersecurity systems, related networks and devices, or potential system vulnerabilities in such detail that disclosure would impede the registrant's response or remediation of the incident.

Foreign private issuers will be required to provide disclosures regarding material cybersecurity incidents that it makes or is required to make public or required to disclose in a foreign jurisdiction to a stock exchange or to security holders on Form 6-K.

Form 10-K Disclosure Requirements

Risk Management and Strategy

New Regulation S-K Item 106(b) will require registrants to describe their processes, if any, for assessing, identifying and managing material risks from cybersecurity threats, including whether the registrant or its business strategy, operations or financial condition has been or is reasonably likely to be materially affected by any previous cybersecurity incident(s).

The final rules direct registrants, in providing such disclosure, to consider addressing the following nonexhaustive list of considerations, as applicable:

• Whether and how any such processes have been integrated into the registrant's overall risk management system or processes;
• Whether the registrant engages assessors, consultants, auditors or other third parties in connection with any such processes; and
• Whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.

Governance

Finally, Item 106(c) will require registrants to (i) describe the board of directors' oversight of risks from cybersecurity threats, (ii) if applicable, identify any board, committee or subcommittee responsible for such oversight, and (iii) describe the processes by which the board or committee is informed about such risks.

Item 106(c) will also direct registrants to describe management's role and expertise in assessing and managing material risks from cybersecurity threats. The disclosure should address, among other considerations, the following:

• Whether and which management positions or committees are responsible for assessing and managing such risks, and the relevant expertise of persons or members in detail as necessary to fully describe the nature of the expertise;
• The processes by which such persons or committees are informed about and monitor the prevention, detection, mitigation and remediation of cybersecurity incidents; and
• Whether such persons or committees report information about such risks to the board of directors or a committee or subcommittee of the board of directors.

These disclosures regarding cybersecurity risk management, strategy and governance will be required in a registrant's annual report on Form 10-K. The SEC did not adopt the proposed rules that would have required disclosure about the cybersecurity expertise, if any, of a registrant's board members.

Foreign private issuers will be required to provide comparable periodic disclosures on Form 20-F.

What's Next?

The final rules will become effective 30 days following the incoming publication of the adopting release in the Federal Register. The Form 10-K and Form 20-F disclosures will be required in annual reports for fiscal years ending on or after December 15, 2023. Thus, for registrants with a calendar fiscal year, the new disclosures will be required in the Form 10-K to be filed in early 2024. The Form 8-K and Form 6-K disclosures will be due beginning the later of (i) 90 days after the date of publication in the Federal Register or (ii) December 18, 2023. Smaller reporting companies will have an additional 180 days and must begin complying with Form 8-K Item 1.05 on the later of (i) 270 days from the effective date of the rules or (ii) June 15, 2024. With respect to compliance with structured data requirements, all registrants must tag disclosures required under the final rules in eXtensible Business Reporting Language, aka XBRL, beginning one year after initial compliance with the related disclosure requirement.

The SEC has focused on cybersecurity in its annual release of priorities for at least the last 10 years and has included cybersecurity-related questions during recent examinations. Registrants should begin evaluating the role that their information security professionals, compliance professionals and management will have with respect to the new rules, specifically regarding the company's risk management, strategy and governance of its cybersecurity program and ensuring that information regarding cybersecurity incidents is promptly communicated to the persons who can evaluate whether Form 8-K disclosure is required. Additionally, companies should begin focusing now on any technology enhancements or additional resources, including personnel, necessary for compliance with the rules. The SEC has cautioned registrants not to disregard disclosures concerning cybersecurity incidents related to the third-party systems it uses in its analysis of changes and enhancements required to demonstrate its good faith efforts to comply with the final rules. The SEC is clear that the materiality determination "is not contingent on where the relevant [or compromised] electronic systems reside or who owns them." Finally, companies should ensure they have implemented adequate controls and processes related to cybersecurity and incident response. The documentation of these controls and processes, however, should not include the kinds of operational details that may be weaponized by threat actors, thereby increasing a registrant's vulnerability to a cyberattack.

For More Information

If you have any questions about this Alert, please contact Darrick M. Mix, Trina L. Glass, J. Blake Hovander, Phuong (Michelle) Ngo, any of the attorneys in our Corporate Practice Group or the attorney in the firm with whom you are regularly in contact.

Footnote

1. Pursuant to Item 106(a) of Regulation S-K, a "cybersecurity incident" means an unauthorized occurrence, or a series of related unauthorized occurrences, on or conducted through a registrant's information systems that jeopardizes the confidentiality, integrity, or availability of a registrant's information systems or any information residing therein.